Why and how GDPR applies to people globally
Privacy and data protection are fundamental rights. When respected they help improve trust and reduce power imbalances. Individuals should have rights over their personal data, regardless of who holds or processes it, and effective ways to enforce those rights, through independent bodies.
While not an ideal solution, GDPR gives individuals more control over their personal data. Rather than burdening individuals with managing and protecting their data, the onus will be on the companies to do so. Fundamentally, people should not have to become data protection experts to protect their data from exploitation.
Will the GDPR benefit people outside the European Union?
Even though the GDPR was primarily designed in (and for) the European Union, given the global nature of internet platforms, data flows and the jurisdictional reach of the regulation, GDPR will have a wider impact. Companies should adapt their data practices, privacy policies, controls, and operations for all of their users, without geographical distinctions – where GDPR provides a higher standard. Many of them are already doing so.
As a consequence, individuals all over the world will enjoy a greater degree of control over their data: limits are placed on the way others can use it, and individuals gain rights such as the right to know how their data is being used and to access, rectify, delete, and port it. Even if the extent of this greater control outside the European Union remains to be seen, expanding such protections seems like a step in the right direction. GDPR should be seen as a baseline that stronger national protections can build on.
Control means an individual has rights over their data, but this doesn’t mean the burden is only on the individual. Rather, as is made clear through the GDPR: there is a role for legislators in providing strong rights in law; there is a role for industry in designing systems that by default protect our data, to fulfil their obligations and permit individuals to realise their rights; and there is a role for regulators to provide guidance about these rights and to take action when they are violated.
How will people have more power over their data under the GDPR?
Most legal instruments on data protection, both national and international, are based on a set of key principles. The same goes for the GDPR, which is built on the principles already outlined in previous instruments, such as the European Data Protection Directive 95/46, or the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
These principles include that personal data must be processed lawfully and fairly; for specific, explicit and legitimate purposes; be adequate, relevant and limited to what is necessary; accurate; retained only as long as necessary; and kept secure. Some key additions to those principles under GDPR are the requirements of transparency and accountability.
If somebody is processing personal data, they must do this in a way that is transparent to the individual whose data is being processed. This means clear, concise and accessible privacy notices. This is one of the reasons why people everywhere are getting so many emails and notifications alerting them to new and clearer privacy policies and terms of service.
In terms of accountability, companies are responsible for and must be able to demonstrate compliance with all the data protection principles. GDPR places a number of related obligations on companies that are subject to it, including carrying out data protection impact assessments, appointing data protection officers, keeping records of processing operations and having contracts in place when sharing data.
In terms of digital security, the regulation also introduces mandatory data breach reporting to the regulator within 72 hours, and in high-risk cases to the affected individuals. The GDPR also includes privacy by design and by default. This means that the burden is on companies to protect personal data from the very outset. Systems should be designed in a way that minimises the processing of personal data to what is necessary for a specific purpose and that protects personal data by default from being used for other purposes.
For a list of rights people have over their data, see this.
Global Data Protection, beyond the GDPR
International data protection doesn’t end at the GDPR. There are other instruments aiming to improve global data protection standards. One of the most important, and the only binding international treaty in the field, is the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”).
An interesting fact about this treaty is that it is not restricted to members of the Council of Europe, and among its parties we can find countries such as Mauritius, Senegal, Tunisia and Uruguay.
Convention 108 was signed in 1981 and is now being updated to include innovations on, among other things, proportionality, data minimisation, accountability, privacy by design, the obligation to declare data breaches, transparency of data processing, and safeguards for decisions based on automated processing. All of these innovations will reinforce the principles and rights that are also contained in the GDPR, and will also help expand data protection rights outside the European Union and around the world.
Data protection rights are expanding globally, and this expansion is not limited to the entry into force of the GDPR: it is also being driven by other processes such as the modernisation of Convention 108 and a renewed awareness of the need for and importance of data protection. In other words, the tide seems to be turning in favour of more and better data privacy protections around the world.